Compliance Guidance Template

Controller’s Office
GLBA Safeguards Rule Information Security Program
PURPOSE: As mandated by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act (GLBA) Safeguards
Rule, the University of Minnesota must develop and maintain an Information Security Program (ISP) to protect the
security, confidentiality and integrity of customer information. Customer information in this context includes any
nonpublic personally identifiable financial information obtained in connection with a financial product or service, such as
student loans.
The Controller’s Office coordinates the ISP for the University. Each college or major administrative unit that handles or
maintains customer information must have processes and procedures to:
(a) Identify and assess reasonably foreseeable risks associated with customer data;
(b) Design, implement, test and monitor administrative, technical, and physical safeguards to protect the data;
(c) Oversee service providers; and
(d) Evaluate and adjust processes and procedures at least annually, reporting back to the Controller’s Office.
The Compliance Guidance Template must be completed and maintained on file by colleges and major administrative
units that must comply with the University’s Information Security Program. Additional guidance is available on the
Controller’s Office website.
College or Major Administrative Unit:
Contact Name:
Contact Phone No:
Contact Email Address:
1. Describe activities in your college or administrative unit that involve customer information subject to the
Safeguards Rule.
Examples: Financial aid administration. We collect and maintain financial aid forms, FAFSA forms and associated documentation such as tax forms.
Help: or 612-624-1617 Page 1 of 4
2. Describe risks that could jeopardize the security or confidentiality of customer information in your care. Include
risks in the following three areas of operation and in other areas as applicable.
A. Employee training and management:
Risk: Employees and management must understand and follow University policies and practices in order to protect customer information from external or
internal risks.
Safeguard: All new employees complete the Public Jobs: Private Data training and customized modules within the first two months of employment. Sufficient
tracking mechanisms are in place to notify managers if a new employee has not completed the required modules.
B. Information systems:
Risk: A risk exists if an employee downloads customer data to a laptop to work at home without following current policies.
Safeguard: We are instituting additional training to ensure that employees follow proper protocols.
C. Detecting, preventing and responding to attacks against University systems:
Risk: Systems must be monitored and tested to ensure customer data is protected from internal or external compromise.
Safeguard: Current OIT SEC practices including firewalls, anti-virus protection, and activity logs are sufficient to control risks. Anomalies in logs are reviewed in
order to detect possible security issues.
D. Risks and safeguards in other areas of operations:
3. Describe additional administrative, technical and physical safeguards that are used to manage risks identified
above. Describe how you monitor and test the effectiveness of these safeguards.
Administrative Safeguards:
Background checks are conducted before hiring employees who will have access to certain customer information.
All new employees sign an agreement to follow University data handling policies and practices.
New employees must complete relevant modules of the PJPD training. Completion is tracked in Learning System.
Breach notification policies are in place.
Technical Safeguards:
Employees with access to customer information must use “strong” passwords that must be changed on a regular basis.
Customer information is protected in transit through a Secure Sockets Layer (SSL) or other secure connection.
Follow University OIT SEC policies and procedures regarding data protection.
End user device encryption is enabled on University laptops.
Firewalls, anti-virus solutions, and patch management are mandated per University policy.
Systems lock after a period of inactivity and screensaver passwords are required for an inactive system.
Physical Safeguards:
Paper records with customer information are stored in a locked cabinet when unattended.
Servers that contain customer information are stored in physically-secure areas.
Follow University policies and procedures regarding data retention and destruction.
Data center environments are secure areas with limited access to those with a need to access the area.
Methods used to monitor and test the effectiveness of these safeguards:
Manager follows up with new employees who have not completed PJPD modules.
OIT has methods in place to regularly monitor and test network security.
4. Third Party Service Providers
Under the Safeguards Rule the University must select and retain only those service providers that maintain appropriate
safeguards for customer information as established by the University’s Information Security Program. In addition, the University
must contractually require service providers to implement and maintain such safeguards. Currently this requirement is managed
by Purchasing for contracts over $50,000. Managers must work with the Office of General Counsel to include appropriate
contract language in contracts under $50,000.
Complete the following:
[ ] We do not use service providers in connection with accounts covered by the Safeguards Rule.
[ ] We use service providers in connection with accounts covered by the Safeguards Rule.
And one of the following:
[ ] All service providers are contractually bound to safeguard data in covered accounts.
[ ] Not all service providers are contractually bound to safeguard data in covered accounts. If this box is checked, use the
box below to describe the situation and how you plan to comply with this requirement.
5. Annual Information Security Program Review
In an effort to maintain the effectiveness of the University’s Information Security Program, colleges and major administrative
units must complete an annual Compliance Certification form and submit the form to the ISP Coordinator (Controller’s Office).
This certification will confirm department/unit compliance with the University’s Information Security Program. Colleges and major
administrative units must evaluate and adjust processes and procedures on an ad hoc basis when a material change or other
circumstance occurs that may have a material impact on safeguarding customer information in its care.